Targeted Security Training


Healthcare Security Compliance: More Than a Check In The Box
Todd Fitzgerald, CISSP, CISA, CISM, CGEIT, PMP, ISO27000 and ITIL V3 Certified
National Government Services, PMO & Strategy/Technical Audit & Compliance, Milwaukee, WI
HIPAA Collaborative of Wisconsin, October 15, 2010
A Little ‘Presentation Disclaimer’ …
The opinions expressed are solely the opinions of Todd Fitzgerald and do not necessarily represent the opinions of his employer. You may or may not want to adopt these concepts in your organization. Use a risk-based approach before attempting this at home.
HOW MANY ARE HIPAA COMPLIANT WITH THE SECURITY RULE?
Today’s Objective
• PART 1: What We Must Be Aware Of TODAY
• PART 2: Applicable Laws, Regulations, Standards
• PART 3: Anatomy of An Audit
• PART 4: What Is A Good Control?
• PART 5: Key Problem Areas
Security Audits Necessary To Ensure Controls Are Functioning
[Diagram: a risk management cycle of Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, and Monitor & Evaluate, with Central Management at the center and an Audit touchpoint at each stage]
Source: “Learning from Leading Organizations”, GAO/AIMD-98-68 Information Security Management
Refresher: Security Officer Job Description
Job description:
This position will represent the information protection program of the region and requires the ability to understand business issues and processes and articulate appropriate security models to protect the assets of and entrusted to. A strong understanding of information security is necessary to manage, coordinate, plan, implement and organize the information protection and security objectives of the region. This position is a senior technical role within our information protection and security department. A high level of technical and security expertise is required and will be responsible for managing information security professionals. This position will play a key role in defining acceptable and appropriate security models for protecting information and enabling secure business operations. This person must be knowledgeable of current data protection best practices, standards and applicable legislation and familiar with principles and techniques of security risk analysis, disaster recovery planning and business continuity processes and must demonstrate an understanding of the management issues involved in implementing security processes and security-aware culture in a large, global corporate environment. He or she will work with a wide variety of people from different internal organizational units, and bring them together to manifest information security controls that reflect workable compromises as well as proactive responses to current and future business risks to enable ongoing operations and protection of corporate assets.
RESPONSIBILITIES INCLUDE:
• Manage a cost-effective information security program for the Americas region; aligned with the global information security program, business goals and objectives
• Assist with RFP and Information Security responses for clients
• Implementing and maintaining documentation, policies, procedures, guidelines and processes related to ISO 9000, ISO 27000, ISO 20000, European Union Safe Harbor Framework, Payment Card Industry Data Protection Standards (PCI), SAS-70, General Computer Controls and client requirements
• Performing information security risk assessments
• Ensuring disaster recovery and business continuity plans for information systems are documented and tested
• Participate in the system development process to ensure that applications adhere to an appropriate security model and are properly tested prior to production
• Ensure appropriate and adequate information security training for employees, contractors, partners and other third parties
• Manage information protection support desk and assist with resolution
• Manage security incident response including performing investigative follow-up, assigning responsibility for corrective action, and auditing for effective completion
• Manage the change control program
• Monitor the compliance and effectiveness of Americas’ region information protection program
• Develop and enhance the security skills and experience of infrastructure, development, information security and operational staff to improve the security of applications, systems, procedures and processes
… The Complete Job Description!
• Direct senior security personnel in order to achieve the security initiatives
• Participate in the information security steering and advisory committees to address organization-wide issues involving information security matters and concerns, establish objectives and set priorities for the information security initiatives
• Work closely with different departments and regions on information security issues
• Consult with and advise senior management on all major information security related issues, incidents and violations
• Update senior management regarding the security posture and initiative progress
• Provide advice and assistance concerning the security of sensitive information and the processing of that information
• Participate in security planning for future application system implementations
• Stay current with industry trends relating to Information Security
• Monitor changes in legislation and standards that affect information security
• Monitor and review new technologies
• Performs other Information Security projects / duties as needed
MINIMUM QUALIFICATIONS: Transferable Skills (Competencies)
• Strong communication and interpersonal skills
• Strong understanding of computer networking technologies, architectures and protocols
• Strong understanding of client and server technologies, architectures and systems
• Strong understanding of database technologies
• Strong knowledge of information security best practices, tools and techniques
• Strong conceptual understanding of Information Security theory
• Strong working knowledge of security architecture and recovery methods and concepts including encryption, firewalls, and VPNs
• Knowledge of business, security and privacy requirements related to international standards and legislation (including ISO 9001, ISO 27001, ISO 20000, Payment Card Industry data protection standard (PCI), HIPAA, European Union Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act, SAS-70 Type II, US state privacy legislation and Mexico’s E-Commerce Act)
• Knowledge of risk analysis and security techniques
• Working knowledge of BCP and DR plan requirements and testing procedures
• Working knowledge of Windows XP/2000/2003, Active Directory, and IT Infrastructure security and recovery methods and concepts
• Working knowledge of Web-based application security and recovery methods and concepts
• Working knowledge of AS400 security and recovery methods and concepts
• Working knowledge of PeopleSoft security and recovery methods and concepts
• Working Knowledge of anti-virus systems, vulnerability management, and violation monitoring
• Strong multitasking and analytical/troubleshooting skills
• Knowledge of audit and control methods and concepts a plus
• Knowledge of SAS-70 audit requirements a plus
• Knowledge of ISO 9001 requirements a plus
• Knowledge of ISO 27001 requirements a plus
• Knowledge of ISO 20001 requirements a plus
• Knowledge of COBIT requirements a plus
• Knowledge of EU / Safe Harbor requirements a plus
• Knowledge of Linux security a plus
• Knowledge of VB.NET, C++, JAVA, or similar programming languages a plus
• Proficient in MS-Office suite of products
• Professional, team oriented
Qualifications
• Bachelor’s Degree (B.A., B.S.), or equivalent combination of education and experience in Information Security, Information Technology, Computer Science, Management Information Systems or similar curriculum
• 7+ years of Information Technology or Information Security experience, including at least 5 years dedicated to Information Security
• 2+ years of Travel Industry experience preferred
• Must be a Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM) preferred
• Strong organizational, time management, decision making, and problem solving skills
• Strong initiative and self motivated professional
• Professional certifications from ISACA, (ISC)2, or SANS preferred
• Experience with ISO certified systems a plus
In Other Words…
• Assess the risks
• Understand laws, regulations, standards
• Understand the technology
• Develop alternatives
• Implement one or more solutions
• Evaluate residual risk
Why We Care… 2010 Security Threats
• Phishing reports (40,621), 56,362 unique websites, 341 hijacked brands set record in August
• Russia (13%), Brazil (8.6%) now top two sites creating attack traffic, with US (6.9%) and China (6.5%) dropping 2 positions
• Sophisticated, distributed malware
• Mobile banking attacks on smart phones
• Social Media sites used to learn about targets, deliver malicious content
• SQL Injection (19% of breaches in 2009 per Verizon)
• Home users transferring malware
• Adobe Reader and Flash Replacing MS Office as target
• Zero-day exploits released on IE in Nov/Dec
Source: Akamai State of The Internet; Anti-Phishing Working Group; McAfee Predictions
Data Breaches Cost $204/Record in 2009 (NO CISO $236, CISO $157)
– $750K-$31 Million per incident
– 24% due to botnets/malicious attacks (doubled from 2008)
– First time Malware exceeded user negligence
– 42% involved 3rd parties
– 36% involved a mobile device
Per-record cost components (summing to the $204): $135 Lost Business, $8 Breach Detection, $15 Notify Victims, $46 Monitoring
Source: Ponemon Institute, 2010
“RockYou.com Hacked For 32.6 Million Passwords”
• Provider of services for FACEBOOK and MYSPACE
• Hacker ‘igigi’ breaks into database of 32.6 Million Records
• SQL Injection
• Hacker posted partial results
Reactive Security Follows Breach
RockYou has become aware of ongoing unauthorized attempts to access the same user data identified in previous reports. RockYou is working to promptly notify our members of these ongoing attempts via email and posts to our Web site. The company is continuing to work with law enforcement to identify the perpetrators. As we stated in our earlier communications, we recommend that all users change their passwords and take other measures to protect their privacy.

RockYou has put in place measures to protect user data, including encrypting all user data and upgrading our security infrastructure. We will also be working with an outside security consulting firm to analyze and improve our security environment. We will continue to assess our security protocols and improve upon them.

We apologize for any inconvenience this has caused our user base and assure our dedicated users that we continue to take their privacy seriously.
The RockYou team
Incident Revealed that the Most Common Password Was… ‘123456’
1. 290,731 ‘123456’
2. 79,038 ‘12345’
3. 76,790 ‘123456789’
4. 61,958 ‘password’
Followed by princess, rockyou, abc123, daniel, nicole, babygirl, monkey, jessica, lovely, michael, ashley, 654321, and qwerty.
Source: Imperva Application Defense Center
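The frequency table above is the analysis a defender can run on their own credential store (a cleartext export produced for an audit, or the data recovered after an incident) to see how concentrated password choices are, and the resulting top-N list is the natural input to a blocklist that rejects those values when a user sets a password. The Python below is an added example, not material from the presentation or from Imperva's report; the password sample is constructed for illustration and the function names are assumptions of this example.

```python
from collections import Counter

# Constructed stand-in for a leaked plaintext password dump; these are
# illustrative values, not records from the RockYou breach.
SAMPLE_DUMP = (
    ["123456"] * 9
    + ["12345"] * 4
    + ["123456789"] * 3
    + ["password"] * 2
    + ["princess", "abc123", "Password", "qwerty",
       "Tr0ub4dor&3", "correct horse battery staple"]
)


def password_frequencies(passwords, n=4):
    """Most common passwords in a dump with their count and share of all accounts.

    The share is what the RockYou numbers express: 290,731 of 32.6 million
    accounts (just under 0.9%) shared a single password.
    """
    total = len(passwords)
    return [(pw, count, count / total)
            for pw, count in Counter(passwords).most_common(n)]


def share_covered(passwords, n=4):
    """Fraction of all accounts that use one of the n most common passwords."""
    return sum(share for _, _, share in password_frequencies(passwords, n))


def build_blocklist(passwords, n=4):
    """Case-folded set of the n most common passwords, for use as a blocklist."""
    return {pw.lower() for pw, _, _ in password_frequencies(passwords, n)}


def is_blocklisted(candidate, blocklist):
    """Password-set-time check: reject a candidate found in the blocklist.

    Comparison is case-insensitive so 'Password' does not slip past a list
    that contains 'password'.
    """
    return candidate.lower() in blocklist


if __name__ == "__main__":
    for pw, count, share in password_frequencies(SAMPLE_DUMP):
        print(f"{count:3d}  {share:6.1%}  {pw}")
    print(f"top 4 cover {share_covered(SAMPLE_DUMP):.1%} of accounts")
    blocklist = build_blocklist(SAMPLE_DUMP)
    for candidate in ("PASSWORD", "correct horse battery staple"):
        verdict = "rejected" if is_blocklisted(candidate, blocklist) else "accepted"
        print(f"{candidate!r} -> {verdict}")
```

In production the blocklist would be far longer than four entries and drawn from published breach corpora rather than one's own dump, but the check itself stays this simple; the value is in running it before the password is accepted rather than discovering the distribution afterwards.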
Factors Causing Breaches… In 1 Month Alone
• Third party financial firm burglarized
• Opened accounts with 10 employees’ stolen data
• Ukraine hackers took control of web domains, redirected traffic
• Intercepted payroll mailing to annuity company
• Laptops stolen from cars, locked offices
• Office backup drive stolen
• Emails to personal email
• SSN spreadsheet
• Temp worker steals flu shot records
• Financial info from unsecured dumpster
• Playlist on MP3 player at thrift shop: US Soldiers
• SSNs in US Govt sold filing cabinet
Source: www.privacyrights.org
In Our Own Backyard… Milwaukee-based Koss CFO Indicted for Embezzling $31M
• $4.5M on clothing
  – 461 Boxes of shoes
  – 34 Fur Coats
  – 65 Racks of clothes
• Wire Transfers to personal account
• Possible 120 Years In Prison, restitution, $1.5M in fines
Emerging Technologies
• Social Media
  – LinkedIn
  – Facebook
  – Twitter
• Virtualization
• Cloud Computing
• Mobile Devices
Today's Data Demand: The Right Data, At The Right Time, At The Right Place…
• 1980
  – Can We Get A Report Run Off the Mainframe?
• 1990’s
  – Decision Support Systems, End User Queries
  – Synchronized To PDA
• 2000’s
  – Laptops, FedEx CDs
• 2010’s
  – Smart Phones, Cloud applications, Virtual Working Environments, Convergence
Where Is The Data Today?
[Diagram: data held by individual staff (Sylvia, Julie, Dena, Marc, Stan) and the Programming Team]
Source: Steve Fried, Mobile Security, Reprinted with Permission
The Evolution of Technology over almost 3 decades
• “Huggable Luggables” introduced in 1983
• Spreadsheet primary use
• 128K Memory
Mobile Computing Is Taking Center Stage
• “Office-less” work-at-home
• Telecommuters
• Road Warriors
• Employees at work working in distributed environments
• After hours work at home
RECENT STUDY OF WORKERS AT HOME REVEALED THEY WORKED 19 MORE HOURS A WEEK WITHOUT NEGATIVELY IMPACTING FAMILY
OF COURSE… THERE WILL ALWAYS BE EXCEPTIONS…
There Are Inherent Risks
Previous Generation Mobile Device Risks Limited
• WAP-enabled cell phones
• Personal Digital Assistants
• Wireless Data Entry Systems
Now They Have The Same Risks As Conventional Systems
• Complete operating Systems
• Specially-built Applications
• Users physically removed from immediate security staff control
More Viruses
More Malware
Less Sophistication Required
Different Ways of Approaching The Problem – Data vs. Device Centric
• Device Centric
• Data Centric
© 2010 Stephen Fried. Reproduction prohibited without written permission.
Data Is Not Static
Data At Rest
Data In Motion
Devices Are Converging
• Cell Phones
• Cameras
• Televisions
• Game Consoles
• DVRs, DVD Players
• iPods, iPads, i-?
• Why???
This Company Was One of The Biggest Contributors….
The Connected World We Live In Changes The Role of ‘The Device’
The Workforce THINKS Differently
• Baby Boomers (1946-65) loyal, dependable, workaholics
• Gen Xers (1965-1980) cynical & independent, reject rules
• Gen Y (1980+) short attention span, tech savvy
The Same Security Question Arises.. Our Customers Want It… How Do We Enable It?
Smartphones: Hacker Opportunity
• UK Dept of Trade Survey:
  – More than 50% of companies do not have any controls for securing company data on Smartphones
• Few have invested in technology
Smartphone Application Vulnerabilities
• Weak or no authentication (single user context)
  – Default passwords
  – Very few characters
• Missing security functions
  – Data Encryption
  – Auditing
  – Padlocks on Web Browsers
  – Security Updates
  – Applications not limited in what they can access
  – Apps can cause DOS by draining battery
• Unable to determine if Malicious until downloaded!
Major SmartPhone Security Controls
• Appropriate Policy & Standards
• Anti-virus and anti-spyware
• Remediation of vulnerabilities
• Strong authentication
• Encrypted transmissions (VPN, SSH, SFTP)
• Secure Wireless Application Protocol Gateways
• Personal Firewalls
• Hard Drive Encryption
• Regular backups
• Security Training & Awareness
Important Audit Questions
• Risk Assessment
• Targeted security awareness training?
• Random audits of devices & applications?
• Power-on password?
• Personal devices prohibited?
• Know how to report lost device?
• Stored securely?
• Security Assessment tools?
• Independent tests performed?
• Policy storing sensitive data? Encrypted? Backups?
• Default passwords
• Policy downloading untrusted applications?
• Communication ports turned off when not in use?
• Anti-virus updated? Anti-spyware?
• Procedures for finding pirated mobile apps exist? Enforced?
• Prohibitions against Jailbreaking?
• Vulnerability Remediation Process?
• Systematic incident response?
Sounds Familiar… May Not Be Pretty Getting There…
PART 2: Laws, Regulations, Standards
There Are The U.S. Government Regulations That We Are Familiar With…
• NIST 800-53 Controls
• FISMA (Federal Information Security Management Act 2002)
• HIPAA Final Security Rule
• Medicare Modernization Act of 2003 (Section 912)
• DISA Security Technical Implementation Guides (STIGs)
• IRS Regulations
…And These
• Gramm-Leach-Bliley (GLBA)
• Sarbanes-Oxley
• NERC Critical Infrastructure Protection
• Federal Financial Institutions Examination Council (FFIEC)
• Federal Information System Controls Audit Manual (FISCAM)
…And International Control Standards/Frameworks/ and of Course [insert here] Practices
• ISO27001/2 Information Security Management System (ISMS)
• Control Objectives for Information and related Technology (COBIT 4.1)
• Payment Card Industry Data Security Standard (PCI DSS 1.2)
• Information Technology Infrastructure Library (ITIL)
• Vendor Guidance
And More Laws & Regulations Which Impact Privacy
• Children’s Online Privacy Protection Act of 1998
• Consumer Credit Reporting Act of 1996
• Driver’s Privacy Protection Act of 1994
• Electronic Funds Transfer Act
• European Union Data Protection Directive of 1995
• Fair Credit Reporting Act of 1999
• Telemarketing and Consumer Fraud Abuse Act
• Family Educational Rights & Privacy Act (FERPA)
• Federal Trade Commission Act (FTCA)
• Freedom of Information Act
• Privacy Act of 1974
• USA Patriot Act of 2001
Health Information Technology for Economic and Clinical Health Act (HITECH) Increases Security and Privacy Protections
• Mandatory penalties for willful neglect
• New rules for ‘unsecured breach’
  – Patients notified
  – HHS notified >500
  – Website posting
  – Local Media
  – Internal vs. External
• Business associates must comply with security rule
  – Follow safeguards
  – Report incidents to CE
  – Civil and Criminal penalties
• HHS Required to provide audits of CE’s and BA’s
• Providers with EHRs must provide ePHI for cost of labor
• Penalties increased to $250K, 1.5M for repeated violations
State Attorney Brings First Cause of Action under HITECH Act Jan 13, 2010
PCI DSS V1.2 Requirements
Build & Maintain a Secure Network
• Install/maintain firewall configuration
• Don’t use vendor-supplied defaults
Protect Cardholder Data
• Protect stored cardholder data
• Encrypt across open networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus
• Develop secure systems/applications
Implement Strong Access Control Measures
• Restrict access by need-to-know
• Assign unique ID to each person
• Restrict physical access
Regularly Monitor & Test Networks
• Track and monitor all access
• Regularly test security systems/processes
Maintain an Information Security Policy
• Policy must address infosec
Part 3: Anatomy Of An Audit
[Diagram: an Agreed Upon Procedure audit in five stages, 1. Planning, 2. Onsite Arrival, 3. Execution, 4. Entrance/Exit/Status Conferences, 5. Report Issuance/Remediation, with the work products flowing from Request List to Sample Selection, Testing, Findings and Corrective Action]
ANATOMY OF AN AUDIT
1. PLANNING
• Receive Prepared By Client (PBC) List; Client Assistance List (CAL)
• Review Requests/Clarify Scope
• Assign to Dir/Mgr/SME
• Create Directory Structure
• Schedule Interviews
Policies & Procedures Requested For 24 e-PHI Security-Related Issues
• Establish/Terminate User Access
• Emergency IT System Access
• Inactive Sessions
• Recording/examining activity
• Risk Assessments
• Employee violations/sanctions
• Electronic transmission
• Incident prevention, detection, containing
• Regular access review
• Security violation logging
• Monitoring systems and network
• Physical access to systems
• Types of security access controls
• Remote access
• Internet usage
• Wireless security
• Firewalls, routers, switches
• Physical security repair
• Encryption/decryption
• Transmission
• Password and server configurations
• Antivirus software
• Network remote access
• Patch management
Documentation Requests…
• Information systems, network diagrams
• Terminated employees
• New hires
• Encryption mechanisms
• Authentication methods
• Outsourced/contractor access
• Transmission methods
• Org chart for IT, Security
• Systems Security Plans
• All users with access, including rights
• System Administrators, backup operators
• Antivirus servers
• Internet access control software
• Desktop antivirus software
• Users with remote access
• Database security requirements/settings
• Domain controllers, servers
• Authentication approaches
The Auditors Have Landed…
2. ONSITE AUDITOR ARRIVAL
• Entrance Meeting
• Internet Connections
• Develop ‘communication protocol’
• Establish start/end/status dates
3. EXECUTION
What? Didn’t I Give That To You Already? (Maybe..Maybe Not)
• Track every communication
• Obtain requests in writing
• Encrypt all files
• Schedule all follow-ups via central person
• Review, Review, Review
Surprises are for Birthdays & The Holidays, Not Audits
4. ENTRANCE CONFERENCES/STATUS CALLS/EXIT CONFERENCE
• Daily Status Calls
• Weekly Status Reports
• No Surprises?
• Risk Ranking of Issue
Remediation of Findings Should Be Swift
5. REPORT ISSUANCE/REMEDIATION
• Final Draft Report
• Management Response
• Prior Finding Closure
• Corrective Action Plan (CAP)
• 5 Business Days
• 30 Calendar Days
• 90 Calendar Days
• Ink Is Now Dry
PART 4: A Good Control Discussion
PART 5: Audit Problem Area Discussion
Problem Area #1: Policies/Procedures
• Process Changed Mid-Audit Cycle
• Not updated
• No Revision History
• Improper Management Approval
• Inability to retrieve w/Revision History
• Not Followed
Problem Area #2: Security Baseline Configurations
• Not compliant with latest standard (i.e., FDCC, DISA)
• Not documented
• No monitoring
• No management approval
• New servers, test servers out of compliance
Problem Area #3: Software Patching
• Critical security patches not applied timely (7, 15, 30 days)
• Adobe, vendor products
• Servers, Desktops, network devices not consistently patched to latest levels
• Time to test patch
• Monitoring used to fix servers?
Problem Area #4: Lack of Software Testing
• Applies to all production applications
• Every program should be tested within X years or when changed
• Documented processes followed
Problem Area #5: Change Control
• Segregation of duties
  – Requestor
  – Developer
  – Implementer
  – Tester/End User
  – Change Control/CCB
• Approvals before production implementation
• Emergency Requests
• Signoffs
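Segregation of duties and approval-before-implementation are checked ticket by ticket during an audit, and the same review can be run mechanically over a change-management export. The Python below is an added example (not from the presentation) that does this over constructed change records: the ChangeTicket fields, the rule that an emergency change approved after the fact must carry a retrospective CCB sign-off, and the sample tickets are all assumptions of this example.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import List


# Constructed change-ticket record for illustration only; the field names are
# assumptions, not the schema of any real change-management product.
@dataclass
class ChangeTicket:
    ticket_id: str
    requestor: str
    developer: str
    implementer: str
    tester: str          # tester / end user
    ccb_approver: str    # Change Control Board approver
    approved_before_implementation: bool
    emergency: bool = False
    signoffs: List[str] = field(default_factory=list)


# The five duties the slide says must be segregated.
SOD_ROLES = ("requestor", "developer", "implementer", "tester", "ccb_approver")


def sod_conflicts(ticket):
    """Return (role_a, role_b, person) for every pair of duties held by one person."""
    return [
        (a, b, getattr(ticket, a))
        for a, b in combinations(SOD_ROLES, 2)
        if getattr(ticket, a) == getattr(ticket, b)
    ]


def audit_change(ticket):
    """Audit one change against the Problem Area #5 items; return the findings."""
    findings = []
    for a, b, who in sod_conflicts(ticket):
        findings.append(f"{ticket.ticket_id}: {who} acted as both {a} and {b}")
    if not ticket.approved_before_implementation and not ticket.emergency:
        findings.append(f"{ticket.ticket_id}: implemented in production before approval")
    if (ticket.emergency and not ticket.approved_before_implementation
            and "ccb_retrospective" not in ticket.signoffs):
        # Assumption: an emergency change may be approved afterwards, but the
        # retrospective CCB sign-off must then be on record.
        findings.append(f"{ticket.ticket_id}: emergency change lacks retrospective CCB sign-off")
    if not ticket.signoffs:
        findings.append(f"{ticket.ticket_id}: no sign-offs recorded")
    return findings


def audit_changes(tickets):
    """Map each ticket id to its list of findings (empty list means clean)."""
    return {t.ticket_id: audit_change(t) for t in tickets}


# Constructed sample tickets: one clean, one where a developer did everything
# and pushed before approval, one emergency change with no sign-offs at all.
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1001", "alice", "bob", "carol", "dave", "erin", True,
                 signoffs=["tester", "ccb"]),
    ChangeTicket("CHG-1002", "bob", "bob", "bob", "dave", "erin", False,
                 signoffs=["ccb"]),
    ChangeTicket("CHG-1003", "alice", "bob", "carol", "dave", "erin", False,
                 emergency=True, signoffs=[]),
]

if __name__ == "__main__":
    for ticket_id, findings in audit_changes(SAMPLE_TICKETS).items():
        print(ticket_id, "clean" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running it flags CHG-1002 four times (three role pairs held by one person plus the missing pre-implementation approval) and CHG-1003 twice, while CHG-1001 comes back clean; the role pairs are reported individually because each one is a separate finding an auditor would write up.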
Problem Area #6: User Access Administration
• Too much access for function
• Unapproved Access (no documentation)
• Terminations too long (> 3 days)
• Lack of recertification of access
• Scope not including all platforms
• Transfers
• Contracted background checks
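Terminations that outlive the three-day window and access that is never recertified are both found by joining the HR termination feed to an account inventory that covers every platform, not just the directory. The Python below is an added example (not from the presentation) that does this over constructed records; the record layout, the annual recertification interval and the sample data are assumptions of this example. The second jsmith account, on a platform outside the usual review, is the "scope not including all platforms" case.

```python
from datetime import date

# Constructed HR and account records for illustration; field names are assumptions.
HR_TERMINATIONS = {          # user -> termination date from the HR feed
    "jsmith": date(2010, 9, 1),
    "mlee": date(2010, 9, 28),
}
ACCOUNTS = [                 # one record per account per platform
    {"user": "jsmith", "platform": "ad", "disabled_on": date(2010, 9, 2),
     "last_recertified": date(2010, 3, 1)},
    {"user": "jsmith", "platform": "as400", "disabled_on": None,
     "last_recertified": None},
    {"user": "mlee", "platform": "ad", "disabled_on": date(2010, 10, 4),
     "last_recertified": date(2010, 6, 1)},
    {"user": "kchen", "platform": "ad", "disabled_on": None,
     "last_recertified": date(2009, 8, 15)},
]
AS_OF = date(2010, 10, 15)   # review date; the presentation's date, used as a constant
TERMINATION_SLA_DAYS = 3     # the slide's "> 3 days" threshold
RECERT_MAX_DAYS = 365        # assumption: access is recertified at least annually


def termination_findings(accounts, terminations, as_of):
    """Accounts of terminated users that stayed enabled longer than the SLA.

    Returns (user, platform, days_enabled_after_termination, status); an account
    still enabled on the review date is measured up to that date.
    """
    findings = []
    for acct in accounts:
        term = terminations.get(acct["user"])
        if term is None:
            continue                       # not a terminated user
        closed = acct["disabled_on"] or as_of
        lag = (closed - term).days
        if lag > TERMINATION_SLA_DAYS:
            status = "still enabled" if acct["disabled_on"] is None else "disabled late"
            findings.append((acct["user"], acct["platform"], lag, status))
    return findings


def recertification_findings(accounts, as_of):
    """Enabled accounts never recertified, or recertified more than RECERT_MAX_DAYS ago."""
    findings = []
    for acct in accounts:
        if acct["disabled_on"] is not None:
            continue                       # disabled accounts need no recertification
        last = acct["last_recertified"]
        if last is None or (as_of - last).days > RECERT_MAX_DAYS:
            findings.append((acct["user"], acct["platform"], last))
    return findings


if __name__ == "__main__":
    for user, platform, lag, status in termination_findings(ACCOUNTS, HR_TERMINATIONS, AS_OF):
        print(f"termination: {user}@{platform} {status}, {lag} days after termination")
    for user, platform, last in recertification_findings(ACCOUNTS, AS_OF):
        print(f"recertification: {user}@{platform} last recertified {last or 'never'}")
```

The join is deliberately keyed on the user id across every platform record, so a termination that was processed in the directory but not on the AS400 shows up as "still enabled" rather than disappearing into a review scoped to one system.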
Problem Area #7: Vulnerability Assessment/Pen Testing
• Will always find something… always
• Schedule after hours
• Schedule during non-production
• Limit testing period
• Contracts
Problem Area #8: Media Sanitization
• Include copiers, scanners, fax machines, routers, servers, USB drives, CDs, desktops, laptops…
• Tapes/Documents shredded onsite
• Inventory assets
• Document sanitization/disposal
• Encrypt everywhere
Problem Area #9: PHI Disclosure/Incident Handling
• Encrypt all external email
• Establish Incident discovery reporting within 1 hour
• Escalation processes
• Retain written actions
• Automate monitoring/correlation process
• Management reporting
• Documentation of follow-up
Remember The Earlier Issue?…
NIST 800-124 Issued Guidance For Smart Phones….
• Organization-wide policy for mobile handheld devices
• Risk assessment and management
• Security awareness and training
• Configuration control and management
• Certification and accreditation
• Apply critical patches and upgrades
• Eliminate unnecessary services and applications
• Install and configure additional applications that are needed
More NIST 800-124 Guidance
• Configure resource controls
• Install content encryption, remote content erasure, firewall, AV, intrusion detection, antispam, VPN software.
• Perform security testing
• User control of device, backup frequently
• Enable non-cellular wireless access only when needed
• Report and deactivate compromised devices
• Enable log files for compliance
• … and the list goes on…
JUST LIKE BLOWING BUBBLES…
Just When Security Problem Gets Bigger
Another Never Materializes
And Another Bursts
- Good Luck!
Thank You For Your Participation!
[email protected]
[email protected]
WWW.linkedin.com/in/toddfitzgerald